PeckBirdy Framework Enhances Lateral Movement in Cyber Attacks
PeckBirdy, a script framework designed for advanced lateral movement in targeted attacks, has been identified as a key tool used by China-aligned threat groups. This framework leverages Living Off the Land Binaries (LOLBins) to execute commands and escalate privileges on compromised systems without detection.
How PeckBirdy Works
PeckBirdy is built to exploit LOLBins, common binaries that are already present in most Windows systems, allowing attackers to execute malicious commands without the need for traditional malware. The framework is designed to pivot within networks, using minimal resources while avoiding detection by traditional antivirus software.
Source: Trendmicro – Visualization of how PeckBirdy leverages LOLBins to execute commands in a target network.
The attackers typically use PowerShell scripts or Windows Management Instrumentation (WMI) to initiate attacks, setting the stage for more sophisticated actions, including data exfiltration and remote code execution (RCE). By embedding these scripts into existing system processes, they remain stealthy and can evade typical defense mechanisms.
Targeted Attack Technique
The primary goal of the PeckBirdy framework is to create persistent backdoors into victim networks. It does this by exploiting Windows LOLBins like mshta.exe or rundll32.exe, which are not usually flagged by security tools. Once inside the network, the attackers use remote PowerShell commands to maintain control, execute scripts, and escalate privileges.
Additionally, PeckBirdy incorporates customized C2 communication protocols, which are designed to blend in with normal network traffic, making it harder for defenders to spot malicious activity.
Key Takeaways from the Report
- Advanced Persistence: PeckBirdy is part of a broader strategy to maintain long-term access to target networks, using built-in tools already trusted by system administrators.
- Low-and-Slow Attacks: These groups prefer a low-and-slow approach, avoiding rapid exploitation or wide-spread malware deployment to minimize detection.
- Targeted Exfiltration: The framework allows attackers to exfiltrate sensitive data gradually, ensuring their activities go unnoticed.
IOC Table and CVE References
Indicators of Compromise (IoC) for detection include the following:
| Type | Indicator |
|---|---|
| Malicious Files | peckbirdy-script.exe |
| Command & Control | http://example.com/c2 |
| Registry Key | HKCU\Software\PeckBirdy |
| Network Traffic | Unusual outbound HTTP/HTTPS requests |
| Tools Used | mshta.exe, rundll32.exe |
CVE references:
- CVE-2021-27022: Exploited by PeckBirdy in executing remote commands.
- CVE-2020-0601: Exploited to bypass Windows security mechanisms.
Conclusion
PeckBirdy represents a shift in how attackers are using existing tools to maintain persistence in victim networks. By exploiting commonly available Windows binaries and avoiding traditional malware signatures, this script framework allows for highly stealthy, long-term access. As such, organizations must update their defense systems to recognize these types of attacks and monitor for signs of unusual PowerShell usage, elevated privilege escalations, and remote command execution.
For more details, visit the full Trend Micro report on the PeckBirdy script framework.
.jpg "Common soc challenges")
No Comment! Be the first one.